Ensure there is an Amazon CloudWatch alarm created within your AWS cloud account that is triggered each time an unauthorized API call is made in order to respond quickly to unapproved actions.
This rule can help you with the following compliance standards:
- CISAWSF
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using Amazon CloudWatch alarms to detect unauthorized AWS API requests can help you keep your AWS account secure. For example, when managing the permissions of a large number of IAM users, mistakes can be made and certain users can receive unintended IAM access. With CloudWatch alarms these unintended API calls can be automatically detected, enabling you to act fast and revoke the unintended access.
Note 1: For this rule, Trend Cloud One™ – Conformity assumes that your Amazon CloudTrail trail is configured to stream event log data to a CloudWatch Logs log group, otherwise see this rule to enable and configure the CloudTrail – CloudWatch integration.
Note 2: You can specify a custom name for the CloudWatch alarm using the rule configuration settings available on your Conformity account console.
Audit
To determine if there is an Amazon CloudWatch alarm that is monitoring unauthorized API calls within your AWS cloud account, perform the following actions:
Remediation / Resolution
Step 1: Create the Amazon SNS topic and subscription required to send email notifications whenever the Amazon CloudWatch alarm configured to detect unauthorized API calls is triggered:
Step 2: Create the CloudWatch metric filter and the associated CloudWatch alarm that will fire whenever an authorization failure will occur within your AWS cloud account:
References
- AWS Documentation
- Amazon CloudWatch Concepts
- Creating CloudWatch Alarms for CloudTrail Events: Examples
- Sending CloudTrail Events to CloudWatch Logs
- Create a Topic
- Subscribe to a Topic
- Creating Amazon CloudWatch Alarms
- Create or Edit an Alarm
- AWS Command Line Interface (CLI) Documentation
- logs
- describe-metric-filters
- sns
- create-topic
- subscribe
- put-metric-filter
- confirm-subscription
- cloudwatch
- put-metric-alarm